from the moral-panic-du-jour dept

Perhaps it's time to make an update to Reefer Madness, entitled Torrent Madness. A totally out of touch and clueless -- but powerful -- UK official, Andy Archibald, who somehow is the deputy director of the National Cyber Crime Unit at the National Crime Agency, is going around spouting nonsense about how file sharing is some sort of "gateway" into more crimes for young people today (found via Ars Technica):

"If you think about the illegal downloading of music, of videos and DVDs, I think that practice is more common than we might imagine within the youth of today.

"That's criminality.

"It's almost become acceptable.

"That's the first stages, I believe, of a gateway into the dark side."

Considering how many people engage in file sharing, if it actually were a "gateway" into further criminal activity, you'd think we'd be in the midst of an incredible crime wave. And yet, here are the stats straight from the UK government:

Obviously, correlation is not causation and yada yada, but doesn't that look like crime rates peaked just as file sharing really started taking off? If it were truly acting as a gateway to more crime, wouldn't that be showing up in the data somewhere?

But, no, good old Andy Archibald isn't troubled by the data. He knows that these evil hacker types are all showing up because of that no good file sharing:

"There are many of our young people, and not only young people, who are becoming highly skilled and capable in a digital environment," he said.

"It's important that they put those skills to good use and are not tempted to become involved, unwittingly in cyber criminality.

"They are members of forums and are exchanging ideas in a marketplace that criminals are looking (at).

"They are looking for people with technical skills who can complement their criminal business."

But, he insists, the police don't want mass surveillance. They want "A narrative... that reassures the public." Funny, then, that it appears most of his speech was a bunch of nonsense designed to scare the public, huh?

from the breaking-the-internet dept

Microsoft posted a somewhat self-congratulatory blog post yesterday about how it was taking on a "global cybercrime epidemic" and effectively targeting systems used by malware. Of course, part of the story was that Microsoft totally misrepresented the nature of No-IP and how dynamic DNS services work. No-IP's parent company, Vitalwerks Solutions, was painted by Microsoft as being something of an accomplice to the malware epidemic, allowing Microsoft to convince a judge to seize a bunch of very popular No-IP domains without any notice or immediate recourse. Microsoft claims that it's just stopping malware, but the collateral damage from grabbing those domains is immense. According to No-IP:

Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.

We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.

As No-IP further notes, Microsoft could have easily contacted them, and the company would have taken action:

Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.

Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one.

Instead, it appears that Microsoft went to court (secretly, without telling Vitalwerks/No-IP) and convinced the judge that the company itself was violating the law. And the court bought it:

There is good cause to believe that, unless the Defendant Vitalwerks is restrained and enjoined by Order of this Court, immediate and irreparable harm will result from its ongoing violations of the Anti-Cybersquatting Consumer Protection Act (15 U.S.C. § 1125) and the common law of negligence. The evidence set forth in Microsoft’s TRO Motion, and the accompanying declarations and exhibits, demonstrate that Microsoft is likely to prevail on its claim that this Defendant has engaged in violations of the foregoing laws through one or more of the following:

a. Leasing to Malware Defendants No-IP sub-domains containing Microsoft’s protected marks; and

b. Negligently enabling Malware Defendants to participate in illegal acts, and failing to take sufficiently corrective action to stop and prevent the abuse of its services, all of which harms Microsoft, Microsoft’s customers, and the general public.

Given the nature of the ex parte proceedings (Vitalwerks was not able to present its side of the story), Microsoft was able to paint a platform provider, one with a full anti-abuse program, as somehow liable for the actions of its users. This flies in the face of a variety of laws and case law on secondary liability, which protect a service provider from being held liable for abusive behavior by its users. Yet here, not only did the court ignore all of that, it simply handed over to Microsoft a whole bunch of No-IP's domains (which, clearly, Microsoft was unable to handle), bringing down a big chunk of the web that relied on No-IP's dynamic DNS services.

This seems like a tremendously dangerous move for the internet in a variety of ways. Microsoft needs to take some of the blame. Even if its goal was to stop malware proliferation, there are better ways to do that than to falsely blame No-IP, and to misleadingly represent the service to the court, allowing the domains to be seized and rerouted.

from the that's-not-going-to-work dept

We didn't pay as much attention to the new proposals in the EU to ratchet up penalties for "cybercrime" in part because they came out just about the same time that the NSA surveillance information started leaking. However, someone who shall remain anonymous passed along to us a "group briefing" document from the EU Parliament team that came up with the latest cybercrime directive, which highlights a bit of the approach and some of the problems. The document is actually from a year ago, but it's definitely reflected in the final product. The entire focus of the document is on harsher penalties, even though there's no evidence that such penalties do any good or act as a deterrent. And, while the document does note that protecting "white hat hackers" is important for achieving "cybersecurity," apparently they had a lot of trouble agreeing on what to do to protect them:

As regards protecting "white hat hackers" as an integral part of the internet's immune system, we managed to achieve a very weak recital (6a bis) compared to the initial LIBE orientation vote. It is made clear that reporting of threats, risks, and vulnerabilities is crucial and needs incentives. The crucial last sentence, however, is not clear enough and far away from creating obligations for member states... Therefore there is no serious protection for white hat hackers who find vulnerabilities in other peoples' information systems and report them. We did however start a debate at all and get the whole EP united behind this.

[....] We managed to get a number of important safeguards in, and the fundamental debate on better IT security is opened. However the directive is in many ways worse than the old framework decision. Higher penalties and the criminalisation of more practices and even tools are not only mainly symbolic, but even risk criminalising well-intended "white hat hackers" and curious teenagers. The problem was Council and a too weak negotiation strategy of the rapporteur at the very end.

From the details of the directive that came out, it appears that not many of these flaws have been fixed. Jan Philipp Albrecht, who was a part of the effort, clearly is not at all happy with how it came out:

But Albrecht attacked the directive, saying, "The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks.

"Top cyber criminals will be able to hide their tracks, whilst criminal law and sanctions are a wholly ineffective way of dealing with cyber attacks from individuals in non-EU countries or with state-sponsored attacks.

"Significantly, the legislation fails to recognise the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security.

"This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.

"The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."

The equation here is pretty simple. Simply ratcheting up punishment does little to stop malicious hacking, as hackers rarely expect to get caught. So it does little or nothing to help stop online crime. What does help is having security researchers and others exposing and fixing vulnerabilities. But, if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may get charged under them for trying to help, you reduce their incentive to actually help.

End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

That's not good for anyone. But, it fits with the technically clueless "law enforcement above all else" mentality we see too often in government these days, which seems to think that "greater enforcement" and "greater punishment" are the answer to any wrong, no matter how much evidence suggests that's untrue.

from the scary-scary-internet dept

It is a standing modern truth that you can take a scary word in the English language and turbocharge its terror factor by putting the word "cyber" in front of it. Don't believe me? Murder. Some guy stabs or shoots me. Cyber-murder. Holy crap! A dude can reach through the computer and electrocute my face! The problem, as we've discussed previously, is that many of the supposed facts used to hype cybercrime are massively overstated, and the resulting hysteria unfortunately breeds atrocities like The PATRIOT Act, because computers are terrifying and apparently the government is not. Of course, it doesn't end with crime. Cyberwar, cyber-terrorism, these words now permeate the bloodstream like terrifying nanobots, all while the use of technology and the internet marches forward at incredible rates.

According to Vance, cybercrime isn't just a growing trend—it's a fundamental shift in the way modern crime works. It has already reached a point where nearly every crime in the city involves a cyber component.

"It is rare that a case does not involve some kind of cyber or computer element that we prosecute in our office—whether it is homicide, whether it's a financial crime case, whether it's a gang case where the gang members are posting on Facebook where they're going to meet," said Vance.

It seems to me that just because there is a small element in a murder that involves a computer, that doesn't make it cybercrime, but that's apparently how it's being reported at the DA's office. This, of course, allows federal agencies like DHS and the CIA to get involved, where they, otherwise, would not.

The city is getting help from the Secret Service, Department of Homeland Security, local businesses, and others. This system of cooperation was actually set up in 2001 when President George W. Bush signed the PATRIOT Act into law. It established the Electronic Crimes Task Forces (ECTFs) under the Secret Service. According to the Secret Service website, "The concept of the ECTF network is to bring together not only federal, state and local law enforcement, but also prosecutors, private industry and academia."

I wouldn't want to necessarily suggest that having the alphabet agencies get involved at some level is always going to be a bad thing, but perhaps it is time we all had a conversation about how we, as citizens, want to be policed in America. That question is going to dovetail into whether or not we want scare-words like "cyber" to result in law enforcement evolving away from the local level to the federal level. For a country that bangs the "get government out of our lives" drum so frequently, often from the party that spawned The PATRIOT Act no less, we seem quite willing to let irrational fear dominate us.

from the not-listening dept

One of the striking -- and depressing -- features of the Internet today is the almost universal desire of governments around the world to rein it in through new laws. We wrote about one such attempt in the Philippines a couple of months ago, where the government is trying to bring in some particularly wide-ranging and troubling legislation. Although the Philippine Supreme Court put a temporary restraining order on the law, the Philippine government is not softening its stance, and has asked the court to lift the order. Its arguments are pretty worrying:

"there is always a presumption of validity that attaches to every legislative act"

Oh, really?

It also said the law only "regulates and penalizes" acts defined as cybercrimes like hacking, and does not prevent the petitioners from using the Internet and expressing their thoughts.

Well, that rather depends on how you define cybercrimes, of course.

The government said "traffic data" referred to in the Cybercrime Law is "non-content data" that consists of the origin, destination, route, time and date of the communication. It said that unlike content data, which is considered private, traffic data is an "auxiliary to the communication and is necessarily shared with a service provider who is a third party."

That is exactly the same erroneous argument used by the UK government to justify its Snooper's Charter. The problem is that some traffic data -- like destination Web addresses -- give considerable information about the content being viewed. For example, if people are visiting Web sites that are critical of the Philippine government, it's pretty clear what they are reading about.

The GMA News piece quoted above lists many other dubious arguments given by the Philippine government in favor of lifting the restraining order. Ironically, the way it dismisses or ignores the important issues raised by petitioners to the Supreme Court only serves to confirm the impression that the government is not really interested in achieving a fair and balanced solution here, but intends to push through its plans regardless.

Justice Secretary Leila de Lima said a "temporary restraining order" was issued by the Supreme Court on Tuesday.

Such an order stops Philippine laws from taking effect until further orders from the court, while making no immediate judgement on their legality.

The same article reports on the widespread protests the new law has provoked:

Human rights groups, media organisations and netizens have voiced their outrage at the law, with some saying it echoes the curbs on freedoms imposed by dictator Ferdinand Marcos in the 1970s.

Philippine social media has been alight with protests, while hackers have attacked government websites and petitions have been filed with the Supreme Court calling for it to overturn the law.

It's great to see the Supreme Court recognizing that there might be a problem here, but it's too early to assume victory. The law might still go into operation -- with what looks like dire consequences for the Internet and civil rights in the Philippines.

from the fearing-fear-itself dept

Through TNW, we learn of a survey published by threat protection company Bit9 that states an attack by Anonymous is the number one thing IT security professionals fear. Doubtless the release of this survey was timed to coincide with CISPA, the dangerous cybersecurity bill that is being debated in the House this week. It's no surprise that a security provider would want to play up the fear of cyber attack, but I'm reminded of a quote from comedian Dara O'Briain: "Zombies are at an all time low level, but the fear of zombies could be incredibly high. It doesn't mean we have to have government policies to deal with the fear of zombies."

Apart from the fact that the fear of something is pretty meaningless (except to those who sell security, and those who want to pass bad laws), the details of the survey make it clear that this is entirely a matter of the hype around Anonymous:

61% believe that their organizations could suffer an attack by Anonymous, or other hacktivist groups.

Despite the utter sense of fear that Anonymous has created over the years, 62% were more worried about the actual method of attack, with malware accounting for the most cause for concern at 48%.

Only 11% of the respondents were concerned about one of Anonymous’ actual methods of attack – DDoS, while fears over SQL injections dipped to a measly 4%. Phishing was a concern for 17% of the respondents.

So, despite the fact that Anonymous apparently has them shaking in their boots, they know that their real vulnerability is malware—and that's not really Anonymous' game. The fear is manufactured.

What this survey calls attention to, though, is a fact that deserves more attention: under CISPA or a similar law, Anonymous would make a juicy target. Security companies and the government could collude and share data not only to strengthen their networks against attack, which would itself be perfectly reasonable, but also to identify and investigate Anonymous members, notwithstanding any other privacy laws. Regardless of how you feel about Anonymous' tactics, this should concern you: privacy rights and the 4th Amendment exist for a reason, and CISPA would wash them away online. The authors of the bill insist that it targets foreign entities, but it is arguably an even stronger weapon against domestic hacktivism that will inevitably be used and abused.

from the because-they're-not-losses dept

We've talked about exaggerations in "losses" due to infringement for many years. However, we've also discussed how claims of "losses" due to so-called "cybercrime" are also massively inflated. It appears that others are figuring this out as well. The NY Times has an op-ed piece from two researchers, Dinei Florencio and Cormac Herley, highlighting how all the claims of massive damages from "cybercrime" appear to be exaggerated -- often by quite a bit:

One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.

Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).

For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors — or outright lies — cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.

This is pretty common. In the first link above, we wrote about how a single $7,500 "loss" was extrapolated into $1.5 billion in losses. The simple fact is that, while such things can make some people lose some money, the size of the problem has been massively exaggerated. As these researchers note, this kind of thing happens all the time. They point to an FTC report, where two respondents alone provided answers that effectively would have added $37 billion in total "losses" to the estimate.
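As an added illustration (not from the op-ed or this post), the Python below models the two effects the researchers describe: one respondent's answer is multiplied by the population-to-sample ratio, and a zero floor turns symmetric reporting error into a one-sided upward bias. The sample size, population and loss figures are constructed assumptions chosen so the multiplier matches the $7,500-to-$1.5 billion example.

```python
import random


def extrapolate(sample_losses, population):
    """Scale a survey sample's mean reported loss up to a population total,
    which is how the headline cybercrime figures are produced."""
    return sum(sample_losses) / len(sample_losses) * population


def outlier_contribution(reported_loss, sample_size, population):
    """Dollars that a single respondent's answer adds to the population
    estimate: every reported dollar is multiplied by population / sample_size."""
    return reported_loss * population / sample_size


def simulate_clipped_survey(true_losses, noise_sd, population, seed=0):
    """Model respondents who misremember symmetrically (Gaussian error) but can
    never report a negative loss. Returns (true_total, estimated_total).

    The zero floor turns symmetric error into a one-sided upward bias, and the
    extrapolation step then multiplies that bias by population / sample_size."""
    rng = random.Random(seed)
    reported = [max(0.0, loss + rng.gauss(0.0, noise_sd)) for loss in true_losses]
    return extrapolate(true_losses, population), extrapolate(reported, population)


if __name__ == "__main__":
    # Constructed numbers: a 1,000-person sample scaled to a population of
    # 200 million gives the 200,000x multiplier implied by the $7,500 -> $1.5B
    # extrapolation quoted above.
    print(outlier_contribution(7_500, 1_000, 200_000_000))

    # Constructed sample: 990 respondents lost nothing, 10 lost $50 each.
    sample = [0.0] * 990 + [50.0] * 10
    true_total, estimate = simulate_clipped_survey(
        sample, noise_sd=20.0, population=200_000_000
    )
    print(f"true total {true_total:,.0f}  survey estimate {estimate:,.0f}")
```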

This doesn't mean that the problems should be ignored, just that we should have some facts and real evidence, rather than ridiculous estimates. If the problem isn't that big, the response should be proportional to that. Unfortunately, that rarely happens. In fact, combining this with the recent ridiculous stories about the need for "cybersecurity," perhaps we can start to estimate just how much of an exaggeration in FUD the prefix "cyber-" adds to things. I'm guessing it's at least an order of magnitude. Combine bad statistical methodology with the scary new interweb thing, and you've got the makings of an all-out moral panic.

from the seems-a-bit-broad dept

While we're still sorting through the crazy cybersecurity bill proposals in the US, it appears that some in the EU are going through a similar process. The EU Parliament's "Civil Liberties Committee" has approved a legislative proposal concerning "cyber attacks," which appears to ramp up criminal penalties for all sorts of broadly defined activities. It even applies criminal penalties to a company if an employee hacks into a competitor's database (even if they weren't told to do it). But where it gets scary is when it appears to directly target "hacktivism" like what Anonymous does. While we still think Anonymous' DDoS attacks are incredibly counterproductive, are they really criminal?

The Committee's proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.

A maximum penalty of at least five years in jail could apply if "aggravating circumstances" or "considerable damage ... financial costs or loss of financial data" occurred, the Parliament said in a statement.

One aggravating circumstance in which the heavier penalty could be levied is if an individual uses 'botnet' tools "specifically designed for large-scale attacks". Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.

Even more ridiculous? Merely "possessing... hacking software and tools" could lead to criminal charges. Does that make everyone with a computer a criminal? This whole thing seems like a bad overreaction by politicians who are freaked out, but who clearly don't understand the technology in question.

from the getting-sick-of-the-word-'cyber' dept

FBI Director Robert Mueller recently spoke at a cybersecurity conference where he reiterated his belief that so-called cybercrime will soon surpass terrorism as the biggest threat in America. Perhaps this means that the FBI plans to start manufacturing cyber-threats like they do with terrorist plots—or perhaps it means that, as some people have been saying for years, cybercrime is just crime. Of course, in a room full of professionals who stand to make more money if people are scared of online threats, he's not likely to get a lot of argument.

That's not meant to dismiss cybersecurity professionals—obviously they do a lot of important work, and obviously the FBI is going to need their assistance for plenty of things. But to call cybercrime the country's biggest threat is to lump together a whole bunch of unrelated crimes, most of which aren't even new:

"We are losing data, we are losing money, we are losing ideas and we are losing innovation," Mueller said at the RSA Conference in San Francisco. "Together we must find a way to stop the bleeding."

The dangers posed by organized cyber-crime, rogue hacktivists and computer breaches backed by foreign governments have become a focus for the FBI.

Counterterrorism is still the agency's top priority, but the agency has retooled to prepare for Internet-based aggressors, Mueller said. Cyber-squads in every FBI field office now monitor for crimes ranging from mortgage and health care fraud to child exploitation and terror recruiting, he said.

Presumably the FBI already has people specializing in mortgage and health care fraud, child exploitation and terror recruiting—so why portion off the "cyber" versions of these crimes into a separate "squad"? To then combine those things with hacktivism and online espionage just makes the category of "cybercrime" utterly meaningless. It is indicative of their struggle (which mirrors that of governments, the entertainment industry and others) to understand a core concept: the internet is not a separate thing. And even if there is a good administrative reason for organizing things in this way, it is highly misleading to call such a diverse array of crimes a single giant threat.